Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 265342 (CVE-2009-1301) - <media-sound/mpg123-1.7.2: Signedness error (CVE-2009-1301)
Summary: <media-sound/mpg123-1.7.2: Signedness error (CVE-2009-1301)
Status: RESOLVED FIXED
Alias: CVE-2009-1301
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://sourceforge.net/project/showno...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-04-07 15:59 UTC by Alex Legler (RETIRED)
Modified: 2009-04-16 22:08 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-04-07 15:59:25 UTC
From Secunia:

A vulnerability has been reported in mpg123, which can be exploited by malicious people to potentially compromise a user's system.

The vulnerability is caused due to a signedness error in the "store_id3_text()" function in libmpg123/id3.c. This can be exploited to trigger an out-of-bounds memory access and potentially execute arbitrary code via a specially crafted ID3 tag.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in versions prior to 1.7.2.
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-04-07 16:00:01 UTC
Loud-making people: Please bump!
Comment 2 Alexis Ballier gentoo-dev 2009-04-08 08:11:44 UTC
in cvs
Comment 3 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-04-08 08:30:14 UTC
Arches, please test and mark stable:
=media-sound/mpg123-1.7.2
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 4 Brent Baude (RETIRED) gentoo-dev 2009-04-08 13:15:36 UTC
ppc and ppc64 done
Comment 5 Jeroen Roovers gentoo-dev 2009-04-08 17:03:01 UTC
Stable for HPPA.
Comment 6 Tobias Klausmann gentoo-dev 2009-04-08 17:13:20 UTC
Stable on alpha.
Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2009-04-08 19:58:09 UTC
amd64 stayble
Comment 8 Friedrich Oslage (RETIRED) gentoo-dev 2009-04-08 20:57:35 UTC
sparc stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2009-04-10 13:22:45 UTC
ia64/x86 stable
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2009-04-11 20:51:58 UTC
GLSA request filed.
Comment 11 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-04-16 21:52:07 UTC
CVE-2009-1301 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1301):
  Integer signedness error in the store_id3_text function in the ID3v2
  code in mpg123 before 1.7.2 allows remote attackers to cause a denial
  of service (out-of-bounds memory access) and possibly execute
  arbitrary code via an ID3 tag with a negative encoding value.  NOTE:
  some of these details are obtained from third party information.

Comment 12 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-04-16 22:08:30 UTC
GLSA 200904-15